[Samba] share permissions
Kevin Field
kev at brantaero.com
Thu Aug 22 10:59:11 MDT 2013
Oh, I see. At first I read it as /home/me/srv. Gotcha. It works!
Thanks very much Ricky! -K
On 2013-08-22 12:49 PM, Ricky Nance wrote:
> It looks at all of them, but the important thing is that it's 0755 all
> the way to the folder being used (if there are any XXX0 permissions on
> the way to the folder it will cause things to fail, which is the case
> with the 'me' part of /home/me/share as it has 0700 permissions).
>
>
> On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field <kev at brantaero.com> wrote:
>
> Oh, so it only looks at the immediate parent's permissions? Not the
> grandparent? I find that even more bewildering but a whole lot
> easier to work with if that's the case :)
>
> Thanks,
> Kev
>
>
> On 2013-08-22 11:44 AM, Ricky Nance wrote:
>
> No, you can use /home/srv/share as long as srv (under home) is 755
> permissions. Samba does run as root, but it also still obeys the
> rules of the underlying file system.
>
> Ricky
>
>
> On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field <kev at brantaero.com> wrote:
>
> I can understand that.
>
> However, I'm a bit confused about how this is supposed to be
> practical in the case of Samba. Samba runs as root, so it can see
> everything. I'm telling it to share a particular folder. Why should
> it look at the ACLs of folders above that, when there's no way they
> will be otherwise accessible via Samba?
>
> The reason I bother with this question is that /home and /srv are on
> two different partitions. I set it up so that the bulk of space
> would be available under /home. Okay, so it sounds like links can
> come to the rescue here. I dig around and it seems that hard links on
> directories have not been allowed since the 70's. Symbolic links
> could work, but if you enable the following of symbolic links in
> smb.conf, it can open up security holes. So to me it seems there's
> no workaround for a design that doesn't make sense in the first
> place (checking the ACLs of parent directories even if you're root
> and they're irrelevant to the application of sharing the given
> directory.)
>
> Am I missing something?
>
> Thanks,
> Kev
>
>
> On 2013-08-20 11:22 AM, Ricky Nance wrote:
>
> Permissions are hard to explain (possibly because I don't fully
> understand them myself I guess), but if you have a directory (say /srv)
> and you give it 0700 permissions, then only the person that owns that
> directory is able to see anything under it, however if you give it 0755,
> then ANYONE can see (the second 5 is R-X for everyone) what's in there,
> now you have a directory under that, let's call it share, (so /srv/share)
> and you give it permissions of 0777, then everyone can read/write in the
> share folder, but no one can write to the /srv folder except the owner.
> So when you had a share under /home/user (which is typically /home is
> 755, and the /home/user is 0700) then no one had access to the
> underlying directories (even if the underlying directory is 777, because
> the user simply can't get to that point)...
>
> If anyone disagrees or could explain this better please feel free to do
> so, I am not opposed to learning new things :)
>
> Ricky
>
>
> On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field <kev at brantaero.com> wrote:
>
> Aha! Moving it worked. I can now see it from Windows. If I chmod
> 777 on the directory I can also add files to it from Windows.
>
> However, I don't quite understand why the parent of the share
> directory affects it. BTW /home/me has 700 permissions and /srv has
> 755. If the +x on /srv allows the +x on my test share directory to
> allow Windows to browse it, why doesn't the -w on /srv prevent the
> +w on my test share directory from allowing Windows to create files
> there? I always thought negative permissions took precedence in
> ACL, generally?
>
> Thanks,
> Kev
>
>
> On 2013-08-20 10:22 AM, Kevin Field wrote:
>
> Hi Ricky,
>
> I don't think I should have to reboot. setenforce is documented to work
> without rebooting. If I need to reboot a Linux server to troubleshoot
> something like this--and I hear SELinux is often a first thing to try
> disabling to troubleshoot--then it's worse than Windows for rebooting
> requirements. But I'm pretty sure that's simply not true.
>
> Otherwise this is meaningless:
>
> $ sudo setenforce 0
> $ sudo getenforce
> Permissive
>
> Also I'm a bit confused as to why the permissions on /home should affect
> /home/me if I've explicitly set them on /home/me and haven't defined
> some kind of ACL inheritance policy. Is it the default that higher
> directories' permissions override lower ones in CentOS? Or is it a
> Samba fileshare thing? I would like to know exactly how this works, but
> in any case, I'll try moving the share and see how it goes.
>
> Thanks,
> Kev
>
> On 2013-08-17 9:47 AM, Ricky Nance wrote:
>
> Have a look at
> http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
> and you will probably have to reboot after making the changes. I have seen
> this cause more problems than not, so I would start with disabling it
> and see if it fixes your problem. Also since you are using a /home/me
> before your share, you need to make sure you have at least 755
> permissions in both /home and /home/me, it might be a good idea to make
> a directory named /srv/mytestshare instead.
>
> Ricky
>
>
> On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field <kev at brantaero.com> wrote:
>
> Interestingly, I couldn't turn off selinux using their method:
>
> $ sudo echo 0 > /selinux/enforce
> -bash: /selinux/enforce: Permission denied
>
> Perhaps it's a CentOS thing. Anyway, `sudo setenforce 0` seemed to
> work in that it didn't give me an error message, but OTOH didn't
> seem to work in that the output of ls -alhDZ was the same:
>
> drwxrwxr-x. me me unconfined_u:object_r:samba_share_t:s0 mytestshare
>
> But in any case, it still gives me the same error from Windows.
>
> Also something strange happened, after a while I could not navigate
> to \\newdc without a similar error, but I had not been doing
> anything in the system, so I'm not sure what might have caused it.
> Running `sudo killall samba` and then `sudo samba` made it
> suddenly be browseable again. Maybe not related...not sure...
>
> Anyway thanks for your help, Ricky. Any other ideas? BTW I had set
> up the selinux permissions on the mytestshare dir per the HOWTO at
> http://wiki.centos.org/HowTos/SetUpSamba . I'm pretty sure that's
> why it says samba_share_t on the ls output above.
>
> Kev
>
>
> On 2013-08-16 11:52 AM, Ricky Nance wrote:
>
> Temporarily turn off selinux, if that fixes your issue you will need to
> adjust the selinux rules to take care of the problem (or just completely
> disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
> you turn it off it can tell you if selinux is on, then run that again
> after it's turned off to confirm. You can read about disabling/turning
> off selinux at
> http://www.revsys.com/writings/quicktips/turn-off-selinux.html
>
> Ricky
>
>
> On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field <kev at brantaero.com> wrote:
>
> I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
> successfully replicating with a W2K3 server. I'm following the
> HOWTO here:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
> [mytest]
>         path = /home/me/mytestshare   <-- with or without trailing slash
>         read only = No
>
> On the W2K3 box, I can browse to \\newdc and I see my test share
> listed there. I can also see it if I connect to newdc in Computer
> Management. However, what I can't get from either of those places
> is a Security tab if I right-click the share and go to Properties.
> There's a Share Permissions tab in CM only that says that Everyone
> has Full Control. Despite that, if I try to double-click the share
> in Explorer, I get:
>
> ---------------------------
> \\newdc
> ---------------------------
> \\newdc\mytest is not accessible. You might not have permission to
> use this network resource. Contact the administrator of this server
> to find out if you have access permissions.
>
> Access is denied.
>
> ---------------------------
> OK
> ---------------------------
>
> My account has all privileges I can think of, including the
> SeDiskOperatorPrivilege as laid out in the HOWTO.
>
> Even if I chmod 777 /home/me/mytestshare I get this error.
>
> What am I missing?
>
> Thanks,
> Kev
>
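
The behaviour the thread converges on (a share is unreachable if any directory on the way to it cannot be traversed, even when the share itself is 777) can be checked component by component. The script below is an added example, not part of the original thread: the function names and the temporary directory tree mirroring /home/me/mytestshare and /srv/mytestshare are constructed here, it assumes GNU `stat`, and it inspects only the "other" execute (search) bit, not POSIX ACLs or SELinux labels.

```shell
#!/bin/sh
# first_blocking_dir ROOT RELPATH
# Walks RELPATH below ROOT one component at a time and prints the first
# directory whose "other" execute (search) bit is clear, returning 1.
# Returns 0 and prints nothing when every component can be traversed.
# Pass "" as ROOT to check a path on the real filesystem.
first_blocking_dir() {
    current=$1
    old_ifs=$IFS; IFS=/
    set -- $2                      # split RELPATH on "/"
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        [ -d "$current" ] || continue
        mode=$(stat -c '%a' "$current") || return 2
        case $mode in
            *[1357]) ;;            # last octal digit odd: o+x is set
            *) printf '%s\n' "$current"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample tree with the modes quoted in the thread:
# home 755, home/me 700, srv 755, both share directories 777.
build_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/home/me/mytestshare" "$demo/srv/mytestshare"
    chmod 755 "$demo/home" "$demo/srv"
    chmod 700 "$demo/home/me"
    chmod 777 "$demo/home/me/mytestshare" "$demo/srv/mytestshare"
    printf '%s\n' "$demo"
}

demo_root=$(build_demo_tree)
for share in home/me/mytestshare srv/mytestshare; do
    if blocker=$(first_blocking_dir "$demo_root" "$share"); then
        echo "/$share: every parent is traversable"
    else
        echo "/$share: blocked at ${blocker#"$demo_root"}"
    fi
done
rm -rf "$demo_root"
```

On a live system, `namei -l /home/me/mytestshare` (util-linux) lists the owner and mode of every component of the path in one command.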
>